1. Technical Field
The present invention relates generally to security in processing systems, and more particularly, to a methodology for installing binding information into an initial or replacement trusted device in a secured processing system.
2. Description of the Related Art
Present-day computing systems, and in particular large-scale server systems, often include support for running multiple virtual machines. The system may be a large-scale on-demand server system that executes hundreds of server instances on a single hardware platform to support customers with varying computing requirements. In the most flexible of these systems, multiple partitions, which may differ in operating system and application mix, are concurrently present in system memory and processes executing in each partition are run in an environment that supports their execution on a guest operating system. The virtual machine provides an environment similar enough to a real hardware platform that the operating system can run with little or no modification. A hypervisor (sometimes referred to as a virtual machine monitor) manages all of the virtual machines or partitions and abstracts system resources so that each partition provides a machine-like environment to each operating system instance.
To implement the above architectural goals, multiple processing modules and other devices are installed in a system, and each device generally supports one or more of the above-described partitions, although it is possible to share tasking on a partition between multiple devices. Groups of devices or an individual device may be associated with a particular customer and it is desirable to secure access to a device or group by only that customer including securing the devices from the manufacturer of the devices and system.
In order to provide security in such a system, devices must be bound to the system, avoiding removal and data mining that can occur by either extracting data from a device, or using a device to “impersonate” a system or portion thereof, from which it was extracted. Binding can be physical, i.e., the device is permanently attached to the system, or binding can be accomplished cryptographically, allowing for removable devices and networked systems. A platform credential is issued to a system (or particular trusted groups of devices within a system) only when the credential provider is certain that a trusted device has been validly bound to the system. The credential certifies that the platform embodies one or more trusted devices and therefore has the attributes associated therewith. Typically the certification is performed at the manufacturers site and the trusted devices are either permanently physically bound to the system, or are cryptographically bound to the system without possibility of field replacement.
The above-mentioned removable and networked devices provide protection from data tampering or impersonation by refusing to initiate in a system unless the device is crytographically bound to the system. The information associated with the binding is generally encrypted and is stored in non-volatile storage within the device by the manufacturer. With the above-described mechanism, only a trusted system can access data associated with or stored within a particular device, dramatically reducing the impact of misappropriation or misuse of removable devices. Further, data associated with a device (such as a stored context or “state” of one of the above-mentioned virtual machines) is secured by an encryption mechanism that requires a key that is stored within the associated device or devices. The two-layer mechanism: hardware binding and data encryption keyed to a particular device or devices provides a high level of security against data mining by misappropriation or misuse of removable devices.
When one of the devices fails or at initial installation of a trusted device into a system, the new device must be bound to the system in order for the device to initialize according to the above-described security methodology. If other devices having the desired security binding are present and operational in the system, binding information can be transferred from one of the other devices. However, if no other device is available with the desired binding, i.e., the last device with that binding has failed or only one such device was present in the system originally, then it is necessary for the binding to be established by other means, typically by returning the system to the manufacturer.
Field replacement mechanisms for replacing a trusted device cause potential exposure of the system to unauthorized or modified hardware. Therefore, it is desirable that the replacement techniques be at least as secure as the operational security scheme, again typically requiring return of the device to the manufacturer.
One method of attacking a system with bound devices is to remove a device during the binding process or otherwise rendering a device “unbound” and attempting to install the device on another system. Also, failure could occur during the binding process that may compromise the integrity of the system by causing a device to appear to be secured to a particular platform when it is not.
Therefore, it would be desirable to provide a field-replacement mechanism for binding replacement devices to a system in a secure manner when no other device with the desired binding is present in the system. It would further be desirable to provide a valid credential to the platform when an initial trusted device is installed and only when the trusted device is known to be validly bound to the system. It would further be desirable to provide a secure binding method that is tolerant of failure or removal during the binding process.